Introduction to the Design and Cryptanalysis of Cryptographic Hash Functions - PowerPoint PPT Presentation

Bart Preneel, KU Leuven - COSIC, firstname.lastname@esat.kuleuven.be. Design and Security of Cryptographic Functions, Algorithms and Devices.


  1. Introduction to the Design and Cryptanalysis of Cryptographic Hash Functions
  Bart Preneel, KU Leuven - COSIC, firstname.lastname@esat.kuleuven.be
  Design and Security of Cryptographic Functions, Algorithms and Devices, Albena, July 2013

  2. Hash functions
  Examples: X.509 Annex D, MDC-2, MD2, MD4, MD5, SHA-1, SHA-256, SHA-512, SHA-3, RIPEMD-160
  Figure: the text "This is an input to a cryptographic hash function. The input is a very long string, that is reduced by the hash function to a string of fixed length. There are additional security conditions: it should be very hard to find an input hashing to a given value (a preimage) or to find two colliding inputs (a collision)." is hashed by h to 1A3FD4128A198FB3CA345932

  3. Applications
  • short unique identifier to a string
    – digital signatures
    – data authentication
  • one-way function of a string
    – protection of passwords
    – micro-payments
  • confirmation of knowledge/commitment
  • pseudo-random string generation/key derivation
  • entropy extraction
  • construction of MAC algorithms, stream ciphers, block ciphers, …
  2005: 800 uses of MD5 in Microsoft Windows

  4. Agenda
  • Definitions
  • Iterations (modes)
  • Compression functions
  • Constructions
  • SHA-3
  • Conclusions

  5. Hash function flavors
  Figure: cryptographic hash function → MAC (keyed) or MDC (unkeyed; this talk); MDC → OWHF, CRHF, UOWHF (TCR)

  6. Informal definitions
  • no secret parameters
  • input string x of arbitrary length ⇒ output h(x) of fixed bitlength n
  • computation "easy"
  • One Way Hash Function (OWHF)
    – preimage resistance
    – 2nd preimage resistance
  • Collision Resistant Hash Function (CRHF): OWHF +
    – collision resistant

  7. Security requirements (n-bit result)
  Figure: one diagram per property
  • collision: find x ≠ x' with h(x) = h(x'); generic cost 2^(n/2)
  • 2nd preimage: given x, find x' ≠ x with h(x') = h(x); generic cost 2^n
  • preimage: given h(x), find x; generic cost 2^n

  8. Preimage resistance
  • in a password file, one does not store
    – (username, password)
  • but
    – (username, hash(password))
  • this is sufficient to verify a password
  • an attacker with access to the password file has to find a preimage
  Figure: preimage diagram: from h(x), find x; cost 2^n

  9. Second preimage resistance
  Figure: x is sent over Channel 1 (high capacity and insecure), h(x) over Channel 2 (low capacity but secure, i.e. authenticated, cannot be modified); 2nd preimage: given x, find x' ≠ x with h(x') = h(x); cost 2^n
  • an attacker can modify x but not h(x)
  • he can only fool the recipient if he finds a second preimage of x

  10. Collision resistance
  • hacker Alice prepares two versions of a software driver for the O/S company Bob
    – x is correct code
    – x' contains a backdoor that gives Alice access to the machine
  • Alice submits x for inspection to Bob
  • if Bob is satisfied, he digitally signs h(x) with his private key
  • Alice now distributes x' to users of the O/S; these users verify the signature with Bob's public key
  • this signature works for x and for x', since h(x) = h(x')
  Figure: collision diagram: x ≠ x' with h(x) = h(x'); cost 2^(n/2)

  11. Pseudo-random function
  computationally indistinguishable from a random function
  Adv^prf_h(A) = Pr[K ←$ K : A^{h_K(·)} ⇒ 1] − Pr[f ←$ RAND(m,n) : A^f ⇒ 1]
  RAND(m,n): set of all functions from m-bit to n-bit strings
  Figure: distinguisher D queries either h_K or f and must decide which one it is talking to
  This concept only makes sense for a function with a secret key

  12. Indifferentiability from a random oracle or PRO property [Maurer+04]
  variant of indistinguishability appropriate when distinguisher has access to inner component (e.g. building block of a hash function)
  ∃ Simulator S, ∀ distinguisher D, Adv^PRO(H,S) is small
  Figure: D interacts either with (hash function H built on a FIL RO, plus that FIL RO) or with (a VIL RO, plus simulator S) and must decide which

  13. Brute force (2nd) preimage
  • multiple target second preimage (1 out of many):
    – if one can attack 2^t simultaneous targets, the effort to find a single preimage is 2^(n−t)
  • multiple target second preimage (many out of many):
    – time-memory trade-off with Θ(2^n) precomputation and storage Θ(2^(2n/3)); time per (2nd) preimage: Θ(2^(2n/3)) [Hellman'80]
  • answer: randomize hash function with a parameter S (salt, key, spice, …)

  14. The birthday paradox
  how many people r do I need to have in a room to have a probability of p = 50% to have at least 2 people with the same birthday? answer: 23
  what is the probability that the birthdays of r people are distinct?
  q = 1 − p = 1 · 364/365 · 363/365 · 362/365 · … · (365−(r−1))/365   (r terms)
  q = 1 − p ≈ 0.5 for r = 23
  intuition: number of distinct pairs of people is 23·22/2 = 253; each pair has probability 1/365 to have the same birthday
  exercise: how many people do you need in a room to have a probability of 0.50 to have 3 people with the same birthday?

  15. The birthday paradox (2)
  • given a set with S elements
    – choose r elements at random (with replacement) with r « S
    – the probability p that there are at least 2 equal elements (a collision) ≅ 1 − exp(−r(r−1)/2S)
  • more precisely, it can be shown that
    – p ≥ 1 − exp(−r(r−1)/2S)
    – if r < √(2S) then p ≥ 0.6 · r(r−1)/2S
  ⇒ for a hash function with an n-bit result, a collision can be found in time 2^(n/2) and memory 2^(n/2)
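The birthday computations of the two slides above, as an added Python example that is not part of the presentation: the exact product for q = 1 − p, the approximation 1 − exp(−r(r−1)/2S) and the lower bound 0.6·r(r−1)/2S, the smallest r reaching p = 0.5, and a memory-based collision search on SHA-256 truncated to n bits (a constructed toy target whose expected ~2^(n/2) trials are cheap to run) to illustrate the time 2^(n/2) / memory 2^(n/2) bound. All function names and the seed prefix are my own.

```python
import hashlib
import itertools
import math


def prob_distinct(r, S=365):
    """Exact q = 1 - p: probability that r draws (with replacement) from S
    values are all distinct:  1 * (S-1)/S * (S-2)/S * ... * (S-(r-1))/S."""
    q = 1.0
    for i in range(r):
        q *= (S - i) / S
    return q


def prob_collision(r, S=365):
    """Exact p: probability of at least one equal pair among r draws."""
    return 1.0 - prob_distinct(r, S)


def prob_collision_approx(r, S):
    """The slide's approximation p ~= 1 - exp(-r(r-1)/2S), good for r << S."""
    return 1.0 - math.exp(-r * (r - 1) / (2.0 * S))


def prob_collision_lower_bound(r, S):
    """The slide's bound: for r < sqrt(2S), p >= 0.6 * r(r-1)/2S."""
    assert r < math.sqrt(2 * S), "bound only stated for r < sqrt(2S)"
    return 0.6 * r * (r - 1) / (2.0 * S)


def people_needed(p=0.5, S=365):
    """Smallest r with prob_collision(r, S) >= p  (23 for birthdays)."""
    r = 1
    while prob_collision(r, S) < p:
        r += 1
    return r


def distinct_pairs(r):
    """Number of distinct pairs r(r-1)/2; each pair collides with probability 1/S."""
    return r * (r - 1) // 2


def truncated_hash(x, n_bits):
    """Constructed toy hash: SHA-256 truncated to n_bits (a multiple of 8).
    Only the output length is reduced; this says nothing about SHA-256 itself."""
    return hashlib.sha256(x).digest()[: n_bits // 8]


def birthday_collision(n_bits, seed=b"constructed-input-"):
    """Find x != x' with truncated_hash(x) == truncated_hash(x') by remembering
    every output seen so far. Returns (x, x', trials). Expected trials are about
    sqrt(pi/2) * 2^(n/2) and the table holds that many entries: time 2^(n/2),
    memory 2^(n/2), exactly the bound on the slide."""
    seen = {}
    for i in itertools.count():
        x = seed + i.to_bytes(8, "big")
        tag = truncated_hash(x, n_bits)
        if tag in seen:
            return seen[tag], x, i + 1
        seen[tag] = x


if __name__ == "__main__":
    print("r for p = 0.5 with S = 365:", people_needed())
    print("exact p at r = 23:", round(prob_collision(23), 4),
          "approx:", round(prob_collision_approx(23, 365), 4),
          "lower bound:", round(prob_collision_lower_bound(23, 365), 4))
    x1, x2, trials = birthday_collision(32)
    print("32-bit collision after", trials, "trials; expected about",
          int(math.sqrt(math.pi / 2) * 2 ** 16))
```

Running the search with n_bits = 32 takes well under a second; doubling n multiplies the work by 2^(n/2), which is why the next slide's cost figures, and the 256-bit recommendation, follow from this one loop.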

  16. Brute force attacks in practice
  • (2nd) preimage search
    – n = 128: 23 B$ for 1 year if one can attack 2^40 targets in parallel
  • parallel collision search: small memory using cycle finding algorithms (distinguished points)
    – n = 128: 1 M$ for 8 hours (or 1 year on 100K PCs)
    – n = 160: 90 M$ for 1 year
    – need 256-bit result for long term security (30 years or more)

  17. Relation between properties
  [Rogaway-Shrimpton'04] [Stinson'06] [Reyhanitabar-Susilo-Mu'10] [Andreeva-Stam'10]
  Even if Coll ⇒ xSEC/Pre: bound always 2^(n/2) << 2^n

  18. Properties in practice
  • collision resistance is not always necessary
  • other properties may be needed:
    – PRF: pseudo-randomness if keyed (with secret key)
    – PRO: pseudo-random oracle property (indifferentiable from a random oracle), but see [Ristenpart-Shacham-Shrimpton'11]
    – near-collision resistance
    – partial preimage resistance (most of input known)
    – multiplication freeness
  • how to formalize these requirements and the relation between them?

  19. Iteration (mode of compression function)

  20. How not to construct a hash function
  • Divide the message into t blocks x_i of n bits each
  • Hash value h(x) = x_1 ⊕ x_2 ⊕ … ⊕ x_t

  21. Hash function: iterated structure
  Figure: chaining H_1 = f(IV, x_1), H_2 = f(H_1, x_2), H_3 = f(H_2, x_3), H_4 = f(H_3, x_4), output h(x) = g(H_4)
  • split messages into blocks of fixed length and hash them block by block with a compression function f
  • need padding at the end
  efficient and elegant…. but …

  22. Security relation between f and h
  • iterating f can degrade its security
    – trivial example: 2nd preimage
  Figure: the chain IV, H_1, H_2, H_3 over x_1, x_2, x_3, x_4 (output g) next to a chain that starts from IV = H_1 and processes only x_2, x_3, x_4: if f(IV, x_1) = IV, dropping x_1 yields a second preimage with the same hash value

  23. Security relation between f and h (2)
  • solution: Merkle-Damgård (MD) strengthening
    – fix IV, use unambiguous padding and insert length at the end
  • f is collision resistant ⇒ h is collision resistant [Merkle'89-Damgård'89]
  • f is ideally 2nd preimage resistant ⇔ h is ideally 2nd preimage resistant [Lai-Massey'92] ?

  24. Security relation between f and h (3)
  length extension: if one knows h(x), easy to compute h(x || y) without knowing x or IV
  Figure: IV → f(x_1) → H_1 → f(x_2) → H_2 → f(x_3) → H_3 = h(x); applying f once more with block y gives H_4 = h(x || y)
  solution: output transformation
  Figure: IV → f(x_1) → H_1 → f(x_2) → H_2 → f(x_3) → H_3 → f(x_4) → H_4 → g → h(x)

  25. More on property preservation
  • PRO preservation ⇒ Col, Sec and Pre for ideal compression function
    – but for narrow pipe bounds for Sec and Pre are at most 2^(n/2) rather than 2^n
  many more results

  26. Attacks on MD-type iterations
  • long message 2nd preimage attack [Dean-Felten-Hu'99], [Kelsey-Schneier'05]
    – Sec security degrades linearly with the number 2^t of message blocks hashed: 2^(n−t+1) + t · 2^(n/2+1)
    – appending the length does not help here!
  • multi-collision attack and impact on concatenation [Joux'04]
  • herding attack [Kelsey-Kohno'06]
    – reduces security of commitment using a hash function from 2^n
    – on-line 2^(n−t) + precomputation 2 · 2^((n+t)/2) + storage 2^t

  27. How (NOT) to strengthen a hash function? [Coppersmith'85] [Joux'04]
  • answer: concatenation
  • h_1 (n_1-bit result) and h_2 (n_2-bit result)
  • intuition: the strength of g against collision/(2nd) preimage attacks is the product of the strength of h_1 and h_2, if both are "independent"
  g(x) = h_1(x) || h_2(x)
  • but….

  28. Multiple collisions ≠ multi-collision
  Assume "ideal" hash function h with n-bit result
  • Θ(2^(n/2)) evaluations of h (or steps): 1 collision
    – h(x) = h(x')
  • Θ(r · 2^(n/2)) steps: r^2 collisions
    – h(x_1) = h(x_1'); h(x_2) = h(x_2'); …; h(x_{r^2}) = h(x_{r^2}')
  • Θ(2^(2n/3)) steps: a 3-collision
    – h(x) = h(x') = h(x'')
  • Θ(2^(n(t−1)/t)) steps: a t-fold collision (multi-collision)
    – h(x_1) = h(x_2) = … = h(x_t)
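One added Python example, not part of the presentation, that ties together slides 21 to 28: a toy Merkle-Damgård hash with MD strengthening, the length-extension property of slide 24 and its output-transformation fix, and Joux's multi-collision (slide 26), which is exactly what defeats the "product strength" intuition of slide 27 and shows that a t-fold multi-collision on an iterated hash costs about t · 2^(n/2) rather than the 2^(n(t−1)/t) of slide 28. The compression function f (truncated SHA-256 of H || x), the 16-bit chaining value, the 4-byte block, the padding rule, the transformation g and every function name are my own constructions; the tiny n is chosen so the 2^(n/2) birthday steps per stage run instantly, where a real design uses n ≥ 256.

```python
import hashlib
import itertools

N_BYTES = 2          # chaining value / result length n = 16 bits (constructed toy size)
BLOCK = 4            # message block length in bytes (constructed)
IV = bytes(N_BYTES)  # fixed IV, as MD strengthening requires


def f(h, block):
    """Constructed compression function: SHA-256(H_{i-1} || x_i) truncated to n bits.
    It stands in for an 'ideal' f; the toy sizes are the weakness, not SHA-256."""
    return hashlib.sha256(h + block).digest()[:N_BYTES]


def md_pad(msg_len):
    """MD strengthening: 0x80, zero bytes, then the message length (2 bytes,
    big-endian) so the padded length is a multiple of BLOCK; unambiguous for
    messages shorter than 2^16 bytes."""
    pad = b"\x80"
    while (msg_len + len(pad) + 2) % BLOCK:
        pad += b"\x00"
    return pad + msg_len.to_bytes(2, "big")


def g(h):
    """Output transformation: whoever sees only h(x) no longer learns the last
    chaining value, which is what length extension needs."""
    return hashlib.sha256(b"output-transform|" + h).digest()[:N_BYTES]


def md_hash(msg, output_transform=False):
    """Iterated hash: H_0 = IV, H_i = f(H_{i-1}, x_i), result H_t or g(H_t)."""
    h = IV
    padded = msg + md_pad(len(msg))
    for i in range(0, len(padded), BLOCK):
        h = f(h, padded[i:i + BLOCK])
    return g(h) if output_transform else h


def length_extend(digest, orig_len, suffix):
    """Slide 24: from h(x) and len(x) alone (x itself unknown) compute
    h(x || pad(x) || suffix). It works because, without g, h(x) *is* the chaining
    value after x || pad(x), so the iteration can simply be continued."""
    glue = md_pad(orig_len)
    total_len = orig_len + len(glue) + len(suffix)
    h = digest
    tail = suffix + md_pad(total_len)
    for i in range(0, len(tail), BLOCK):
        h = f(h, tail[i:i + BLOCK])
    return glue, h


def find_block_collision(h):
    """Birthday search for x != x' with f(h, x) == f(h, x'): about 2^(n/2) calls to f."""
    seen = {}
    for counter in itertools.count():
        block = counter.to_bytes(BLOCK, "big")
        out = f(h, block)
        if out in seen:
            return seen[out], block
        seen[out] = block


def joux_multicollision(t):
    """Joux'04: t successive one-block collisions give 2^t distinct messages of
    t blocks that all share one chaining value, hence one hash value, at a cost
    of about t * 2^(n/2) instead of the 2^(n(2^t-1)/2^t) an ideal h would demand."""
    h = IV
    pairs = []
    for _ in range(t):
        b0, b1 = find_block_collision(h)
        pairs.append((b0, b1))
        h = f(h, b0)          # f(h, b1) gives the same value by construction
    return [b"".join(choice) for choice in itertools.product(*pairs)]


if __name__ == "__main__":
    x = b"constructed message"
    glue, forged = length_extend(md_hash(x), len(x), b"-appended")
    print("length extension without g matches:", forged == md_hash(x + glue + b"-appended"))
    glue, forged = length_extend(md_hash(x, True), len(x), b"-appended")
    print("length extension with g matches:   ", forged == md_hash(x + glue + b"-appended", True))
    msgs = joux_multicollision(4)
    print(len(msgs), "messages,", len({md_hash(m) for m in msgs}), "distinct hash value(s)")
```

The same two lessons carry over to real hashes: an un-transformed MD hash (MD5, SHA-1, SHA-256) must not be used as a MAC by hashing key || message, which is why HMAC or a hash with an output transformation is used instead, and concatenating two iterated hashes adds at most a few bits of collision resistance over the stronger one.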
